Difference between revisions of "PHP"

Latest revision as of 20:07, 5 October 2017

Prerequisite

To use this guide, you will need Nginx installed and configured.

Installation

$ sudo apt install php-cli php-fpm php-apcu

Configuration

Warning: Each version of PHP has its own set of configuration files. You may need to adapt the 7.0 paths below to your actual PHP version, and you will need to redo this after PHP updates.

Common configuration

In Debian, each flavor of PHP has its own configuration file. This allows fine-grained configuration but makes it harder to get common behavior across all of them.

Let’s create a common file read by all PHP interpreters.

$ echo -e '; Common configuration for all PHP interpreters\n; priority=99\n' | sudo tee /etc/php/7.0/mods-available/local-common.ini > /dev/null
$ sudo phpenmod -v 7.0 local-common

Unless specified otherwise, all the settings below go in /etc/php/7.0/mods-available/local-common.ini

PHP-FPM

Integrate with Nginx

Create the file /etc/nginx/conf.d/php.conf

upstream php {
    server unix:/run/php/php7.0-fpm.sock;
}

Configure Processes

PHP-FPM creates worker processes to handle incoming requests. If it runs out of available processes, new requests are queued and users experience delays.

The number of processes to use depends heavily on the traffic to your websites and on the RAM/CPU available on your server. To find optimal values, check the log file /var/log/php7.0-fpm.log: it contains warnings when the number of processes needs adjusting.

The values to change are in /etc/php/7.0/fpm/pool.d/www.conf. A good starting point is

pm = dynamic
pm.max_children = 30
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
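The tuning loop described above (read the php-fpm log, raise pm.max_children when the pool hits its ceiling, but stay within the RAM you can spare) as an added shell example, not from the wiki page. The log lines are constructed for the example (their format follows the real php-fpm warnings), and the per-child memory figure and the doubling rule are assumptions you should replace with measured values.

```shell
#!/bin/sh
# Added example, not from the wiki page. Scans php-fpm log lines for the two
# warnings that mean the pool sizing needs adjusting, then caps the suggested
# pm.max_children by a RAM budget. SAMPLE_FPM_LOG is constructed; on a server
# pass "$(cat /var/log/php7.0-fpm.log)" instead.

SAMPLE_FPM_LOG='[05-Oct-2017 20:00:01] NOTICE: fpm is running, pid 1234
[05-Oct-2017 20:00:01] NOTICE: ready to handle connections
[05-Oct-2017 20:05:12] WARNING: [pool www] seems busy (you may need to increase pm.start_servers, or pm.min/max_spare_servers), spawning 8 children, there are 0 idle, and 12 total children
[05-Oct-2017 20:07:40] WARNING: [pool www] server reached pm.max_children setting (30), consider raising it
[05-Oct-2017 20:07:41] WARNING: [pool www] server reached pm.max_children setting (30), consider raising it
[05-Oct-2017 20:09:03] WARNING: [pool api] seems busy (you may need to increase pm.start_servers, or pm.min/max_spare_servers), spawning 4 children, there are 0 idle, and 6 total children'

# One line per pool: "pool=<name> max_children_hits=<n> busy_warnings=<m>", sorted by name.
fpm_pool_report() {
  printf '%s\n' "$1" | awk '
    /WARNING: \[pool [^]]*\]/ {
      match($0, /\[pool [^]]*\]/)
      pool = substr($0, RSTART + 6, RLENGTH - 7)   # strip "[pool " and "]"
      seen[pool] = 1
      if ($0 ~ /reached pm\.max_children/) hits[pool]++
      if ($0 ~ /seems busy/) busy[pool]++
    }
    END {
      for (p in seen)
        printf "pool=%s max_children_hits=%d busy_warnings=%d\n", p, hits[p] + 0, busy[p] + 0
    }' | sort
}

# How often one pool hit its pm.max_children ceiling (0 when the pool never did).
max_children_hits() {
  fpm_pool_report "$1" | awk -v p="$2" -F'[= ]' '$2 == p { n = $4 } END { print n + 0 }'
}

# Suggested pm.max_children: double the current value when the ceiling was hit
# (assumed rule), but never more than ram_mb / child_mb (assumed per-child RSS).
suggest_max_children() {
  current="$1"; hits="$2"; ram_mb="$3"; child_mb="$4"
  wanted="$current"
  [ "$hits" -gt 0 ] && wanted=$((current * 2))
  ceiling=$((ram_mb / child_mb))
  [ "$wanted" -gt "$ceiling" ] && wanted="$ceiling"
  echo "$wanted"
}

fpm_pool_report "$SAMPLE_FPM_LOG"
hits=$(max_children_hits "$SAMPLE_FPM_LOG" www)
echo "www: hit pm.max_children $hits times; suggest pm.max_children = $(suggest_max_children 30 "$hits" 2048 40)"
```

With a 2048 MB budget and 40 MB per child the doubled value (60) is capped at 51, which is the point: a pool that is still queueing at that size needs more RAM, not a bigger number.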

Security

PHP is known for a particularly poor security track record. Although things are improving, it is recommended to harden your installation.

Hide PHP

It is generally a bad idea to reveal which technologies your system uses. These settings make sure that PHP is not exposed.

; Name of the sessionid cookie. Hide PHP and get a smaller cookie
session.name = sid
; Don't add script name in emails
mail.add_x_header = 0

Session IDs

By default, PHP session IDs are not very random. Let's get some more entropy.

; By default, PHP session IDs are not very random
; http://samy.pl/phpwn/ reduce session entropy down to 20 bits
; The settings below use 256 bits of entropy from /dev/urandom
session.entropy_length = 32
; Default is md5
session.hash_function = sha256
; Not security related. Make the session ID cookie a bit shorter
session.hash_bits_per_character = 6

Prevent session fixation attacks

; Don't allow client to choose their session id
session.use_strict_mode = 1
; Hide session cookie from JavaScript
session.cookie_httponly = 1
; Make session cookie work only with HTTPS
; Warning: it might break your application if you don't use HTTPS
session.cookie_secure = 1

Limit File Access

By default, PHP allows scripts to read any file on the machine, including sensitive files like /etc/passwd.

The setting below limits that. Of course, when new sites are added, the list of folders needs to be extended.

; Colon-separated list of folders to allow inclusion from.
; Eg. "/usr/share/php/:/usr/share/phpmyadmin/"
open_basedir = "/usr/share/php/"
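Because the hardening values from Hide PHP, Session IDs, Prevent session fixation attacks and Limit File Access are spread over one ini file that must be redone after every PHP update, a check that the file still carries them is worth keeping. The following shell audit is an added example, not from the wiki page; SAMPLE_INI is a constructed, deliberately incomplete file, and the ini parser only handles the "key = value ; comment" lines used on this page.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit a PHP ini file for the hardening
# keys of the Security section. SAMPLE_INI is constructed (one key is left
# commented out on purpose); on a server run
#   php_ini_audit "$(cat /etc/php/7.0/mods-available/local-common.ini)"

SAMPLE_INI='; Common configuration for all PHP interpreters
; priority=99
session.name = sid
mail.add_x_header = 0
session.use_strict_mode=1
session.cookie_httponly = 1   ; inline comment after the value
; session.cookie_secure = 1   still commented out, so the audit must flag it
open_basedir = "/usr/share/php/"'

# Print the value of a key: trims whitespace, drops a trailing ";comment" and
# surrounding quotes. Prints nothing when the key is absent or commented out.
ini_get() {
  printf '%s\n' "$1" | awk -v key="$2" -F= '
    /^[ \t]*;/ { next }
    { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
    k == key {
      v = substr($0, index($0, "=") + 1)
      sub(/[ \t]*;.*$/, "", v)
      gsub(/^[ \t]+|[ \t]+$|"/, "", v)
      print v; exit
    }'
}

# key=expected pairs; NONEMPTY means any value is accepted as long as it is set.
PHP_HARDENING_CHECKS='session.use_strict_mode=1
session.cookie_httponly=1
session.cookie_secure=1
mail.add_x_header=0
open_basedir=NONEMPTY'

# One "key STATUS value" line per check (OK, MISSING or WRONG); returns 1 if any failed.
php_ini_audit() {
  failed=0
  for check in $PHP_HARDENING_CHECKS; do
    key=${check%%=*}; expected=${check#*=}
    actual=$(ini_get "$1" "$key")
    if [ -z "$actual" ]; then status=MISSING; failed=1
    elif [ "$expected" = NONEMPTY ] || [ "$actual" = "$expected" ]; then status=OK
    else status=WRONG; failed=1
    fi
    printf '%-24s %-8s %s\n' "$key" "$status" "$actual"
  done
  return $failed
}

php_ini_audit "$SAMPLE_INI" || echo "audit failed: fix the MISSING/WRONG keys in local-common.ini"
```

Note that the audit only checks the file you hand it; a later-loaded ini with a higher priority can still override a value, so compare against the running interpreter's view as well.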